The present invention, in some embodiments thereof, relates to malicious activity detection and/or handling and, more specifically, but not exclusively, to systems and methods of malicious activity detection and/or handling based on event monitoring.
Conventional anti-virus (AV) applications attempt to prevent harmful or malicious transmissions such as viruses and worms from infiltrating a computing device. Typically, such applications operate on a network gateway or host and monitor incoming traffic. Conventional AV applications, whether server or host based typically rely on a so-called fingerprint matching implementation. Such a fingerprint matching mechanism aggregates a set of unique indicators, or signatures, exhibited by known malicious transmissions. The unique indicators typically represent portions of files which a particular AV vendor has previously identified as malicious, such as a signature copy and used from a particular byte range in the file, or a hash computed over a predetermined portion of a file. The result is a signature value substantially shorter that the entity (file) it represents yet which has a high likelihood of matching a signature computed from another similar instance of the file. A set of signatures of known malicious transmissions is readily comparable to an incoming transmission to determine malicious content in the incoming transmission.
During the last years system and methods for integration of behavioral and signature based security have been developed.